This is an attack on implementation details, not the underlying physics of quantum mechanics. The title could have been a little better. This is (apparently; my only source is the submitter, as he's also the source in the article) the first working exploit of a quantum cryptography system that was able to steal the key without being detected.

You're exaggerating your point (e.g. by talking about dragons and warp drive). One of the articles suggests you might mitigate this attack with a relatively simple extra verification step. This attack depends explicitly upon "blinding" a detector with light "above the intensity threshold" (certainly this is oversimplified). That's an attack on implementation details. Certainly I didn't mean to say that building a QC system is all "implementation details"; that would just be stupid. This one point that was at

I think I made the point well.... since neither perfect emitters/detectors, dragons or warp drives exist. Since these items don't exist, the problem needs to be examined in the light of what actually does exist.

The fact that the detector has an intensity threshold isn't an implementation detail, it is part of the underlying physics. Point me to a detector that doesn't have one. You can't just replace the detector with a different one that doesn't have this problem, you have to make the QC system more com

People are used to regular crypto, where the task of computing the result of a basic mathematic function can be safely left to hand-waving. You can do RSA with a computer, or longhand on a piece of paper. The properties of the computer aren't an assumed part of the way the system works. With QC, it is assumed that pieces of hardware behave in very specific ideal ways. You can't buy parts that work like that, you have to use real parts. Therefore the system design, and explanations of how a real system works need to account for that.

I still think (from my fuzzy understanding of this attack) that it uses a specific implementation detail that depends upon the system used, and might be relatively easy to patch. Maybe they can use different wavelengths of photons, one for a test and one not--I don't have the expertise to say how much of a redesign is necessary. The article makes it sound like it's not a huge deal, and the Toshiba guys say in one of the other articles that their system isn't susceptible to these attacks when properly operated.

Currently the problem is quite general, because most quantum cryptosystems today use detectors of the vulnerable type. We think it is patchable, just not by the approach the Toshiba group practices, but patchable. (We dislike Toshiba's approach for not being general and thorough, but more of a quick band-aid.) During the past 20 years there were a couple of problems of similar magnitude in quantum crypto, and they were solved. Note that similar problems periodically show up in implementations of classical crypto.

The future of quantum crypto will now be decided, from one side, by the market, and from another side, by publicly disclosed mathematical developments on various classical ciphers (which can be cracked overnight, but can also be proven more secure... I'm not a mathematician so I won't venture a guess for the odds of either). In quantum cryptography there is at least one well-engineered commercial system, several advanced commercial prototypes (Toshiba has one), and the hacking efforts are going to eliminate all easy loopholes in a reasonable time. It is also important how well quantum cryptography can be meshed into networks with many nodes and links. There have been several demonstrations of quantum crypto networks, the latest in Japan last year.

The current commercial systems (like ID Quantique's Cerberis [idquantique.com]) use quantum cryptography as an extra security layer on top of classical crypto. To get to the master key used to encrypt the data, one needs to crack both quantum key distribution and classical key distribution at the same time. We temporarily compromised the quantum layer in this work, but in a commercial installation the data security would hang on the classical crypto, until the quantum layer is patched. Of course the security of the symmetric ciphers (normally AES with frequent key changes) used for high-speed data encryption is another question, but I think there is also an option to establish a low-bandwidth highly-secure channel encrypted by one-time-pad. The whole reason AES is offered with quantum crypto is that the performance of the classical crypto has spoiled everybody, and the users do not want to separate communication into high-security and low-security categories. They just want to encrypt the whole 10 Gbps link, so this is the default option.

Of course the security of the symmetric ciphers (normally AES with frequent key changes) used for high-speed data encryption is another question

Especially since AES can be quite vulnerable to side channel attacks, maybe even more so if implemented in hardware. AES should be used for fewer blocks than triple DES. Then again, it might be hard to come by another hardware accelerated cipher that has been researched as extensively - I suppose triple DES is out of the question. Maybe one of the other AES candidates or even Threefish could be used instead (or on top of AES, we're talking highly secure systems here).

Quantum computing, quantum cryptography, etc. are pretty common categories here on /. and I really don't know anything about either. Now, the question is... should I be alarmed for not being up to date here? Or is this stuff that really won't become relevant for 90% of software engineers outside academia for quite a long while? (I mostly develop web services and mobile applications but I still expect to work in this field for quite a few decades and if this is something that software engineers should unders

The original patent on quantum cryptography was for a banknote with trapped photons. These could only be read once, so you had to know the polarization axis of the photons to read their state. This was a wonderfully batty idea, and a useful explanation of what is known and what isn't known about a quantum state.

However, when you go into actual implementations of quantum communications, you find the hacking techniques are much the same. Here, they are trying to send out a single photon. If a real l

They can't tell the difference between the quantum signal they are supposed to be detecting and a faked signal using classical light pulses. Man-in-the-middle attacks are fairly straightforward for classic light signals since they aren't changed when someone else intercepts them.

LDO. People seem in a rush to point this out on every /. crypto story. "This wasn't a problem with the math, but a problem with the implementation". Yes, that's how almost all attacks work. Attackers don't generally go after the strongest link in your cryptosystem, you know.

My silly RSA tokens (2 on them cluttering my keyring now!) are worthless not because the math was bad, but because the attackers found a better avenue of attack. That's not in any way comforting.

It is just as silly to say that the attack was on quantum cryptography here as it would be to say an armored truck was robbed when someone pretending to be from the armored truck company convinced the bank to give them the money before the truck arrived.

Ha, nice one. That's been studied in depth of course: there just aren't enough rich people to make that work (and people have a historically proven tendency to either hide or defer income, or just be lazy, if you crank the marginal rates up too high). I believe the medicare liability exceeds the combined net worth of all American citizens, companies, and corporations - but we'll just fail to pay that out, as opposed to the $130k each we're stuck owing.

I believe the medicare liability exceeds the combined net worth of all American citizens, companies, and corporations

Really? Do you have a citation on that? It would be good to know. That would resolve the question of whether we are (potentially) solvent or not.

- but we'll just fail to pay that out, as opposed to the $130k each we're stuck owing.

Yeah, for all the talk of defaulting on the national debt, it is forbidden by the constitution. Unless we can get a constitutional amendment, we'll be letting old people die in the streets before we default.

This is really not true at all. Not only do they need at least a 1024 qbit computer, it still needs a massive amount of operations (both classical logic and quantum operations). Current optimistic estimates for a quantum computer still put it as slower than classical, or still so slow that it doesn't matter. And all you need to do is add a single bit to your key, since you cannot emulate a larger register than what you have in quantum computing.

The fact that they had to invent a name for a bit on quantum computers is where I knew to jump off the train.

It's a bit, there is no need to call it a qbit, it represents the same thing, the smallest amount of information we use in computers. It is either 1 or 0.

The fact that it gets called a qbit instantly lets anyone with a clue know that this is a marketing gimmick and there is no useful value to quantum computing at this time. You don't have to call useful things by new entirely different wanna be tren

Anyway, all it takes is qbit count to hit the "~doubling every ~two years" phase typical of many technologies, and we'll be in kiloqbit range in no time (well, two decades, but anyway). Of course it could be that in our universe, this is impossible, but if it's merely very difficult, then there tend to be workarounds found for practical problems, after technology becomes commercially profitable and regular R&D cycle gets properly started.

Only thing is that complexity of a quantum computer is *not* linear with qbits, it's quadratic or far worse (exponential). We are currently only seeing linear growth of qbits, and even that is a stretch since the number of logic operations is very very limited.

Of course there could be a breakthrough. But even then things like the factoring of numbers still needs a massive amount of qbit operations in addition to classical operations. On top of all that we have only a handful of useful algorithms on these

They are not. Even though this type of BS can be read in the press quite often. Unless you assume we get quantum computers that can hold arbitrarily long entangled state. If we do not have that, just make the RSA key length one single bit longer than the longest entangled state that computations can be done on and the quantum computer is useless. (Dirty secret of quantum computing: You cannot combine calculations on large elements from computations on smaller elements.)

As for symmetrical ciphers, brute-forcing with quantum computers requires 2^(n/2) tries instead of 2^n tries. You still have to do each try and you have to model the whole cipher, which requires, e.g. for AES-256 in a known-plaintext attack (which is the easiest one), to hold 2x128 bits for known plaintext and ciphertext, 256 bits for the key. That is already 512 qbits you need. Then you need to represent AES internal state and do computation. This easily adds another 512 qbits of state. Then you need to do something like 8000 x 2^128 quantum computations, retaining entanglement. As far as I can tell, each of these computation steps will be vastly slower than a conventional step as you need to manipulate the entangled set of qbits from the outside. And you cannot parallelize! Throwing two quantum computers at the same problem takes exactly the same time as when using only one.

We are currently where? 5 entangled bits when actual computations are done on them? After 2 decades of research. This leads me to believe that if they will ever work at all, quantum computers will not be able to crack current crypto for a very, very long time.

It might have to do with the fact that if/when someone gets a quantum computer RSA and ECC are effectively hosed. At that point, without a viable replacement, the world economy as we know it would disappear.

If we ever invent a real QC capable of running Shor's algorithm to break useful codes before our sun turns into a white dwarf, the world's economy is in for one hell of a roller coaster ride at warp 9 into the future.

My money is on it never being possible due to the decoherence tax. It stinks of something for nothing. I hope I'm wrong.

There is no sane reason. RSA may be eventually broken, as there is still no security proof for it. But ElGamal has a strong mathematical security proof and is unlikely to ever be broken. ECC serves to reduce key-sizes and, afaik, has at least weaker security proofs. The important thing is however that they do scale, i.e. longer key gives better security. No such property is present in Quantum signaling. (No, it is not crypto.)

Then there is a second dirty secret: Quantum signaling is only for key distribution. The actual communication is done with conventional block ciphers like AES. This completely invalidates the concept, even if you assume Quantum signaling to be eavesdropper-proof, because RSA/ElGamal is likely much more secure

That's insane... what they should do is use public key crypto secured transmission of private keys.

And encrypt the data payload in a CBC mode, with random shared quantum inputs used to manipulate th

Using what you describe, you have produced random unusable gibberish on the output.

You can't throw randomness into cryptography, contrary to common belief. Everything has to be known or calculatable in order for the original data to be extracted from the encryption.

Cryptography is VERY complex math, nothing more at this point, with the general idea intended to be to make it take a minimum amount of time to decrypt the data, but making that time long enough to prevent brute forcing from being viable and not

Using what you describe, you have produced random unusable gibberish on the output.

Not really. If you generate some random data and transmit it over the quantum channel, both endpoints to the communication have the shared quantum secret, with an agreed upon hash, and agreed upon method of using the data and proper synchronization of the two data streams, they will both come up with the same thing, and the recipient will be able to inverse a simple XOR.

In case you've tried and hit one of the many hand-waving walls here is the brief because I'm not the type to just be snide and say RTFM:

So you have a sender and a pair of receivers. You (sender) have one of the receivers. You send an entangled pair of photons down the lines. Here is trick one: those two photons will have the same polarization but you don't know what it is till you measure it.

Agreed. This article will advance his career, so getting it on Slashdot leads, indirectly, to financial benefit for him. That said, I agree with the GP that it's deserved - and it really is news for nerds.

I'll bite this troll. I typed this submission because

1. I think what we do is cool, and is interesting to Slashdot readers (I read Slashdot daily myself).
2. I can formulate what we have done better and include the most relevant links, compared to a random submitter who has just read a news story.
3. Yes! I am 37 and I do not have tenure yet! Every bit helps :). Unfortunately, really, I do not think anybody is going into science for money.

I doubt the technology will ever be there. Physics always comes with uncertainty margins and plain errors. So far quantum theory is not well founded enough (1. It is incomplete, see e.g. the Higgs-Boson 2. It is inconsistent with Relativity) to base any strong security guarantees on it. Also, encryption done well (no, the quantum stuff is not crypto) does the job and fits neatly into the layer model at different places, depending on your application. There is absolutely no sane reason to do security at lay

As with most recent vulnerabilities in Cryptography (no, the quantum stuff is not crypto, it is signaling with special physical properties), the attack goes against the implementation. This did not stop several companies and a lot of fanbois to claim "unbreakability". I hope you have learned something.

I seriously doubt it. In my experience, people's memories are selective - anyone who's made that claim (and yes, I remember reading several such statements) likely will deny it now.

Unbreakable in principle and unbreakable in reality are two very different claims. One is reasonable, assuming some principles of theoretical physics, while the other is silly to mildly informed people.

I wonder what principle of quantum information ever changed? Or can you give any example of a few-decades-old principle of theoretical physics that looks silly today?
Theories embrace new details, the underlying interpretation and math can totally change, but in 'normal' conditions (low gravity, low speeds or macroscopic scales, depending on the theory), they converge to classical principles. So all you need to assume in quantum cryptosystems is its pretty simple old principles and "Eve doesn't have a super

In terms of physical theory, Quantum Theory is not old. Nor is it well-proven, as there are a few new discoveries every year at the moment. So far, it mostly pans out, but there are no guarantees. Think mechanics. For a long time it was the perfect theory. Then some people started to measure more precisely than ever before, and suddenly it turned out to be a rough approximation. So, for example "Doc" E.E. Smith's idea of interstellar travel looks quite silly today. There is absolutely no reason Quantum theo

So, in summary, it is not a good idea to rely on physical theory, which has the status of Hypotheses when it comes to practical implementations, when we have actual mathematical theory (which is still hard fact when implemented digitally) that already solves the problem well.

Except that we don't really have "actual mathematical theory", either. No one currently knows how to factor products of large primes efficiently, but it has not been proven that integer factorization is NP-complete, nor are we entirely sure what NP-completeness means (cf. P=NP). Worse, we haven't even proven that factorization is the only way to defeat RSA -- it's possible there's another way. Finally, RSA and other asymmetric ciphers also suffer from practical implementation issues. RSA in particular

For RSA you are right. For ElGamal your information is outdated, as a solid lower bound proof exists. There are also proofs for other DLog based crypto. It is just a bit harder to implement and a bit slower. Also, I guess, RSA had more commercial backing with the (IMO bogus) patent on it.

Quantum Signaling has neither and is eminently impractical in addition. As to plain hard, when we at least have mathematics, that is something solid. For the Quantum stuff we do not have complete observations, we have imple

ElGamal's proof assumes the Diffie–Hellman assumptions, which are quite strong. Actually every modern asymmetric key encryption algorithm's security would imply the existence of one-way functions, which in turn would imply P!=NP - as far as my outdated information goes, we don't have a proof of that yet. But even if I'd trust P!=NP, there's a lot of other ways the stronger assumptions could fail, e.g. maybe your particular key is one of those 10% that's easy to revert.

P!=NP is convenient, but not needed for one-way functions. It is enough that you have a scalable higher effort in one direction; P!=NP merely gives you a set of easy ways to get that.

Saying "quantum information theory is shaky" is not crazy at all. History shows that any physical theory was disproven, except the at that time current one. There is absolutely no reason (except arrogance) to assume we now have it right.

As to why this is not encryption: From Wikipedia: "encryption is the process of transforming

Which part of "The existence of one-way functions would imply P!=NP." don't you understand?
On the other hand P!=NP doesn't imply the existence of one-way functions (one-way is a _stronger_ assumption), so no, even P!=NP doesn't give you easy encryption (as far as our knowledge goes today). And ElGamal's security is based on an _even stronger_ assumption that the discrete logarithm is a one-way function - there's no simple reason to believe that it's true.

When the eavesdropping is "in channel", doesn't require material access to the transmitting medium, the eavesdropping could be the fastest, preferred, mode of signaling on the link. Spinning the quantum wheel of "how associated" is the linked topology is going to precede what state info gets distributed most widely, therefore presenting the highest possibility of sync to another signal in the system - dominating it. So modulating the wheel's state is going to get ahead, leaving everyone on the signal an

Let's assume for a second the quantum hardware itself works perfectly as advertised and cannot be compromised.

You still need classic (such as a symmetric key) information to prove Alice and Bob are talking to each other rather than to Malice's quantum MITM proxy server.

Has anyone proved a perfect quantum OTP source improves actual security vs use of a zero knowledge algorithm to establish the same? Even if such an algorithm does not yet exist... Is it possible to construct one? Has it been shown this is not

Zero-knowledge authentication is impossible by definition. If you know nothing secret about someone, you can never verify his identity.

A small pre-shared key is used for initial authentication, in all classical and quantum crypto alike, to preclude a man-in-the-middle (MITM) attack. In the classical public-key infrastructure (PKI), this authentication key comes from the certificate authority with, e.g., your copy of the web browser. If it is spoofed at the distribution step, MITM attack becomes possible.
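As an added example (not code from the article, the researchers, or any poster), here is a constructed Python toy of what the posts above describe: basis sifting with the announcement sent over a classical channel that is authenticated with the small pre-shared key (so a rewritten announcement is rejected), the roughly 25% error an intercept-resend eavesdropper leaves in the sifted key, and the XOR use of the resulting key from the earlier post. Qubits are modelled as (bit, basis) pairs with ideal detectors, so the detector-blinding attack of the article is not modelled; all names and values are constructed.

```python
"""Constructed toy of BB84-style key distribution with an authenticated
classical channel. Qubits are (bit, basis) pairs and detectors are ideal."""
import hashlib
import hmac
import secrets


def measure(photon, basis):
    """Ideal detector: the sent bit if bases match, else a uniformly random bit."""
    bit, sent_basis = photon
    return bit if sent_basis == basis else secrets.randbelow(2)


def intercept_resend(photons):
    """Eve measures each photon in a random basis and re-sends what she saw."""
    out = []
    for p in photons:
        b = secrets.randbelow(2)
        out.append((measure(p, b), b))
    return out


def auth_tag(msg, psk):
    """Tag a classical-channel message with the small pre-shared key."""
    return hmac.new(psk, msg, hashlib.sha256).digest()


def run_qkd(n, psk, eve=False, mitm=False):
    """Return (alice_key, bob_key, auth_ok) after basis sifting."""
    alice_bits = [secrets.randbelow(2) for _ in range(n)]
    alice_bases = [secrets.randbelow(2) for _ in range(n)]
    photons = list(zip(alice_bits, alice_bases))
    if eve:                      # attacker on the quantum channel
        photons = intercept_resend(photons)
    bob_bases = [secrets.randbelow(2) for _ in range(n)]
    bob_bits = [measure(p, b) for p, b in zip(photons, bob_bases)]
    # Classical channel: Alice announces her bases, authenticated under the PSK.
    announced = bytes(alice_bases)
    tag = auth_tag(announced, psk)
    if mitm:                     # attacker rewrites the announcement in transit
        announced = bytes(b ^ 1 for b in announced)
    if not hmac.compare_digest(tag, auth_tag(announced, psk)):
        return [], [], False     # Bob rejects the whole sifting round
    keep = [i for i in range(n) if announced[i] == bob_bases[i]]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep], True


def error_rate(key_a, key_b):
    """Fraction of disagreeing sifted bits; about 0.25 under intercept-resend."""
    return sum(a != b for a, b in zip(key_a, key_b)) / len(key_a)


def otp_xor(data, key_bits):
    """XOR data with sifted key bits packed into bytes; XOR again to invert."""
    if len(key_bits) < 8 * len(data):
        raise ValueError("not enough key material")
    key = bytes(int("".join(map(str, key_bits[i:i + 8])), 2)
                for i in range(0, 8 * len(data), 8))
    return bytes(d ^ k for d, k in zip(data, key))


if __name__ == "__main__":
    psk = secrets.token_bytes(16)                  # constructed pre-shared key
    ka, kb, ok = run_qkd(4000, psk)
    print("clean run: auth", ok, "error rate", error_rate(ka, kb))
    ea, eb, _ = run_qkd(4000, psk, eve=True)
    print("intercept-resend: error rate", round(error_rate(ea, eb), 3))
    print("tampered announcement accepted:", run_qkd(100, psk, mitm=True)[2])
    ct = otp_xor(b"constructed", ka[:88])
    print("OTP round trip:", otp_xor(ct, ka[:88]))
```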